Sunday, February 14, 2010

Oracle Database Firewall

Oracle Database Firewall works on the network, transparent to database servers and applications, and can be quickly deployed.
Oracle Database Firewall provides a centralized management console for monitoring multiple databases simultaneously and supports parallel devices for high availability deployments. Optional host-based agents can provide low-impact local monitoring capabilities.
Prerequisites for Database Firewall Implementation
Privileges Required to Perform the Installation: Any trusted user can install Oracle Database Firewall; administrative privileges are not needed to complete the installation. Because the installer re-images the machine, whoever runs it ends up in control of the appliance, so restrict that to trusted staff.
Database Firewall and Management Server Hardware Requirements:
You must install each Database Firewall and Management Server onto a Linux server, which will be used solely for Oracle Database Firewall. The requirements for each are the same. Remember that the installation process re-images the computer, so do not use a computer that is used for other activities.
Checking the System Architecture:

  • Each Linux server must run 32-bit Linux.

Checking the Memory Requirements:

  • Each Linux server must have at minimum 1 GB of RAM.

Checking the Disk Space:

  • Each Linux server must have at minimum 80 GB of disk space.

Checking the Network Interface Cards:

  • You must have a minimum of three ports for each Linux server that you will use for Database Firewall and Management Server. One network interface card (NIC) with three ports is sufficient.

Supported Database Versions:
Protected databases are the databases that you will monitor using Oracle Database Firewall. The following database products are supported:
Oracle Database 8i, Oracle Database 9i, Oracle Database 10g, Oracle Database 11.1.x, and Oracle Database 11.2.x (including Release 11.2.0.2).
Supported Language and Character Sets:
Oracle Database Firewall is available in English only, but can support Unicode character sets.

Steps to implement Oracle Database Firewall:
Step 1: Set the Standalone Database Firewall Date and Time
Step 2: Specify the Management Server NTP Time Server
Step 3: Specify the Standalone Database Firewall Network Settings
Step 4: Enable Secure Log Access
Step 5: Configure the Standalone Database Firewall Syslog Destinations
Step 6: Configure the Standalone Database Firewall Enforcement Points
Step 7: Configure the Standalone Database Firewall Bridge IP Address
Step 8: Test the Standalone Database Firewall System Operation

Oracle Advanced Security


Configuring advanced security features for an Oracle database instance includes configuring encryption, integrity (checksumming), and strong authentication methods for Oracle Net Services. Strong authentication method configuration can include third-party software, as is the case for Kerberos or RADIUS, or it may entail configuring and managing a public key infrastructure for using digital certificates with Secure Sockets Layer (SSL).

Authentication Method System Requirements:

Kerberos:
MIT Kerberos Version 5, release 1.1 or above.
The Kerberos authentication server must be installed on a physically secure system.
RADIUS:
A RADIUS server that is compliant with IETF RFC 2138, Remote Authentication Dial In User Service (RADIUS), and RFC 2139, RADIUS Accounting.
To enable challenge-response authentication, you must run RADIUS on an operating system that supports the Java Native Interface as specified in release 1.1 of the Java Development Kit from JavaSoft.
SSL:
A wallet that is compatible with the Oracle Wallet Manager 10g release. Wallets created in earlier releases of the Oracle Wallet Manager are not forward compatible.
Entrust/PKI:
Entrust IPSEC Negotiator Toolkit Release 6.0
Entrust/PKI 6.0

1. Network Encryption and Strong Authentication Configuration Tools:

Oracle Net Services can be configured to encrypt data using standard encryption algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and SSL. The following sections introduce the Oracle tools you can use to configure these advanced security features for an Oracle Database:

Oracle Net Manager

Oracle Advanced Security Kerberos Adapter Command-Line Utilities

Oracle Net Manager


Oracle Net Manager is a graphical user interface tool, primarily used to configure Oracle Net Services for an Oracle home on a local client or server host.
Although you can use Oracle Net Manager to configure Oracle Net Services, such as naming, listeners, and general network settings, it also enables you to configure the following Oracle Advanced Security features, which use the Oracle Net protocol:

  • Strong authentication (Kerberos, RADIUS, and Secure Sockets Layer)
  • Network encryption (RC4, DES, Triple-DES, and AES). RC4 and single DES are weak by current standards; prefer AES and restrict the accepted algorithm list accordingly.
  • Checksumming for data integrity (MD5, SHA-1). MD5 is likewise weak; prefer SHA-1 where the clients support it.
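Configuring these services is only half the job: the sqlnet.ora defaults on both sides are ACCEPTED, so a client that asks for nothing gets a cleartext session and nothing complains. The query below is an added example, not code from the original page. It lists every user session with the encryption and checksum adapters Oracle Net actually negotiated, read from V$SESSION_CONNECT_INFO, where the adapter banner rows (for example "AES256 encryption service adapter") appear only when such a service was negotiated. A NULL algorithm therefore flags a cleartext session. It assumes a user with SELECT on V$SESSION and V$SESSION_CONNECT_INFO (the DBA role is enough) and Oracle Database 11g, where the six-argument REGEXP_SUBSTR is available.

```sql
-- Added example: which sessions negotiated encryption and integrity checking?
-- Assumes SELECT on V$SESSION and V$SESSION_CONNECT_INFO (e.g. the DBA role).
SELECT s.sid,
       s.username,
       s.machine,
       s.program,
       -- the adapter banner names the algorithm only when it was negotiated
       MAX(REGEXP_SUBSTR(ci.network_service_banner,
                         '(\S+) encryption service adapter', 1, 1, NULL, 1))
           AS encryption_algorithm,
       MAX(REGEXP_SUBSTR(ci.network_service_banner,
                         '(\S+) crypto-checksumming service adapter', 1, 1, NULL, 1))
           AS checksum_algorithm,
       MAX(ci.authentication_type) AS auth_type
  FROM v$session s
  JOIN v$session_connect_info ci
    ON ci.sid = s.sid
   AND ci.serial# = s.serial#
 WHERE s.type = 'USER'
   AND s.username IS NOT NULL
 GROUP BY s.sid, s.username, s.machine, s.program
 -- cleartext sessions (no negotiated algorithm) sort to the top
 ORDER BY encryption_algorithm NULLS FIRST, s.sid;
```

To close the gap on the server side, set SQLNET.ENCRYPTION_SERVER = REQUIRED and SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED in sqlnet.ora, and limit SQLNET.ENCRYPTION_TYPES_SERVER and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER to the AES and SHA-1 entries; remote sessions should then never show NULL here. Local bequeath sessions never pass through the network adapters and will show NULL regardless.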

Oracle Advanced Security Kerberos Adapter Command-Line Utilities:
The Oracle Advanced Security Kerberos adapter provides three command-line utilities that enable you to obtain, cache, display, and remove Kerberos credentials. The following list briefly describes these utilities:
okinit: Obtains Kerberos tickets from the key distribution center (KDC) and caches them in the user's credential cache.
oklist: Displays a list of Kerberos tickets in the specified credential cache.
okdstry: Removes Kerberos credentials from the specified credential cache.

2. Public Key Infrastructure Credentials Management Tools:
The security provided by a public key infrastructure (PKI) depends on how effectively you store, manage, and validate your PKI credentials. The following Oracle tools are used to manage certificates, wallets, and certificate revocation lists so your PKI credentials can be stored securely and your certificate validation mechanisms kept current:

  • Oracle Wallet Manager
  • orapki Utility


Oracle Wallet Manager:
Oracle Wallet Manager is an application that wallet owners and security administrators use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform the following tasks:


  • Create public and private key pairs
  • Store and manage user credentials
  • Generate certificate requests
  • Store and manage certificate authority certificates (root key certificate and certificate chain)
  • Upload and download wallets to and from an LDAP directory
  • Create wallets to store hardware security module credentials


orapki Utility:
The orapki utility is a command line tool that you can use to manage certificate revocation lists (CRLs), create and manage Oracle wallets, and to create signed certificates for testing purposes.
The basic syntax for this utility is as follows:
orapki module command -option_1 argument ... -option_n argument

Data Masking

Oracle Data Masking:

Oracle released the Applications Management Pack (AMP) for Enterprise Manager. One of its interesting features is the ability to mask data when cloning from a production environment to a secondary environment used for testing. This masking ensures that confidential information such as SSNs, compensation and health information is not revealed to those with access to the test environments.

What is confusing is that Oracle has also released a Data Masking Pack (DMP) for Enterprise Manager, whose data masking capabilities differ from those in AMP. DMP was announced in November 2007. With this confusion in mind, here is some information about the data masking capabilities of DMP and a comparison of the two later in the article.

The Data Masking Pack ships with several mask primitives out of the box, such as fixed values, array of values, random digits (zero padded), random numbers, random alphabetic characters of specified lengths, random dates within a date range, substring of the original value, external table columns containing replacement mask data, and shuffle within the same table. If these options are not enough, it also supports user-defined functions written in PL/SQL, which gives unlimited flexibility in creating mask formats. All of these primitives can be combined to create as many mask formats as are needed for masking any type of sensitive data. One note about shuffling: the shuffling algorithm permutes the values within the column, so it retains the column's data histogram but removes the association between an original value and its row.

The Data Masking Pack (DMP) supports only masking of Oracle database tables and columns and does not work on other data formats such as Excel or plain text files. DMP generates logs of the masking process, and Enterprise Manager has a built-in reporting engine that can be used to generate reports. It also provides the ability to preview sample masked data before the masking run.

The key feature of any data masking solution is whether it maintains relational integrity: masking must not break the relationship between one or more tables. An example is masking an SSN that is also used as a foreign key in another table. For this reason DMP supports both database-enforced and application-enforced referential integrity. It also supports the definition of any application relationships, including Oracle Financials, and is certified for use with them.

Lastly, Enterprise Manager has a built-in scheduler that can be used to run the database cloning and the data masking processes. The script generated by the tool can be registered and run as a concurrent manager job.
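To make the shuffle and user-defined-function primitives concrete, here is an added example; it is not code from the Data Masking Pack or from the original post. On a small constructed staging table it applies a "shuffle within same table" mask to SALARY and a hand-written PL/SQL mask to SSN that keeps the NNN-NN-NNNN shape, then checks the two properties the article describes: the salary histogram is unchanged and no row keeps its original SSN. The table, rows, and the function name mask_ssn are all assumptions for the demo.

```sql
-- Added example (not the Data Masking Pack's code): shuffle mask plus a
-- user-defined format-preserving mask, with verification queries.
CREATE TABLE emp_stage (
  emp_id  NUMBER PRIMARY KEY,
  ssn     VARCHAR2(11),
  salary  NUMBER(9,2)
);

-- Constructed sample rows standing in for a production clone.
INSERT INTO emp_stage VALUES (1, '123-45-6789',  70000);
INSERT INTO emp_stage VALUES (2, '987-65-4321',  85000);
INSERT INTO emp_stage VALUES (3, '555-12-3456',  85000);
INSERT INTO emp_stage VALUES (4, '222-33-4444', 120000);
COMMIT;

-- Unmasked copy kept only so the checks at the end can compare; in a real
-- clone this copy must never reach the test environment.
CREATE TABLE emp_orig AS SELECT * FROM emp_stage;

-- User-defined mask: random digits in the same NNN-NN-NNNN format, so
-- application-side format validation on the test copy still passes.
CREATE OR REPLACE FUNCTION mask_ssn (p_ssn IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  IF p_ssn IS NULL THEN
    RETURN NULL;
  END IF;
  RETURN TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(100, 1000)),   'FM000')  || '-' ||
         TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(10, 100)),     'FM00')   || '-' ||
         TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(1000, 10000)), 'FM0000');
END mask_ssn;
/

-- Shuffle mask: give each row a SALARY drawn from a random permutation of
-- the same column. The multiset of values (the histogram) is unchanged; the
-- link between a given employee and a given salary is broken.
MERGE INTO emp_stage t
USING (
  SELECT a.emp_id, b.salary AS shuffled_salary
    FROM (SELECT emp_id, ROW_NUMBER() OVER (ORDER BY emp_id) AS rn
            FROM emp_stage) a
    JOIN (SELECT salary, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
            FROM emp_stage) b
      ON a.rn = b.rn
) src
ON (t.emp_id = src.emp_id)
WHEN MATCHED THEN UPDATE SET t.salary = src.shuffled_salary;

UPDATE emp_stage SET ssn = mask_ssn(ssn);
COMMIT;

-- Checks: both violation counts should be 0.
SELECT 'salary histogram changed' AS check_name, COUNT(*) AS violations
  FROM (SELECT salary, COUNT(*) AS cnt FROM emp_orig  GROUP BY salary
        MINUS
        SELECT salary, COUNT(*) AS cnt FROM emp_stage GROUP BY salary)
UNION ALL
SELECT 'ssn left unmasked', COUNT(*)
  FROM emp_stage m
  JOIN emp_orig  o ON o.emp_id = m.emp_id
 WHERE m.ssn = o.ssn;
```

Two caveats the example makes visible. A shuffle guarantees the histogram, not that every row changes: on a tiny table, or where values repeat (the two 85000 rows), a row may get its own value back. And a random mask such as mask_ssn breaks referential integrity wherever SSN is a key; that is exactly the case the article raises, and it needs either the pack's referential-integrity support or a deterministic mapping applied to every column in the relationship.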

Audit Vault


Components of Oracle Audit Vault


  • Source Databases
  • Oracle Audit Vault Server
  • Audit Vault Collection Agent and Collectors


Source Databases
A source database is a database from which Oracle Audit Vault collects audit data. Oracle Audit Vault can collect this audit data from the internal audit trail tables and operating system audit trail files of a source database.
Supported Database Versions:
Oracle Database, for the OSAUD and DBAUD collector types: Releases 9.2.x, 10.1.x, 10.2.x, and 11.x.
Oracle Database, for the REDO collector type: Enterprise Edition Releases 9.2.0.8, 10.2.0.3, 10.2.0.4 and later, 11.1.0.6 and later, and 11.2.
Oracle Audit Vault Server
The Oracle Audit Vault Server contains the tools necessary to configure Oracle Audit Vault to collect audit data from your source databases. The Audit Vault Server also contains an Oracle database, and makes it available to reporting tools through a data warehouse.
What Are Collection Agents and Collectors?
A collector retrieves the audit trail data from a source database and sends it to the Audit Vault Server. The collection agent manages the collectors. The collectors send both valid and invalid audit records, get configuration information, and send error records using Oracle Call Interface (OCI) and JDBC password-based authentication. If the collection agent is stopped, the source database still creates an audit trail (assuming auditing is enabled); the next time you restart the collection agent, Oracle Audit Vault retrieves the audit data that accumulated while the agent was stopped.
You configure one collection agent for each host and one or more collectors for each individual source database. For example, if a host contains four databases, you configure one collection agent for that host and one or more collectors for each of the four databases. The number of collectors that you configure and the collection agent that you use to manage them depend on the source database type and the audit trails that you want to collect from it.
Oracle Audit Vault Collection Agent Prerequisites:
The system must meet the following minimum hardware requirements:

  • At least 512 MB of available physical memory (RAM)
  • Swap space of 1024 MB or twice the size of RAM
  • 400 MB of disk space in the /tmp directory
  • 1 GB of disk space for the Oracle Audit Vault collection agent software

Oracle Audit Vault Server Prerequisites: (for Linux)

  • At least 1 GB of physical RAM. The configured swap space depends on the installed RAM:
      Up to 512 MB: 2 times the size of RAM
      Between 1024 MB and 2048 MB: 1.5 times the size of RAM
      Between 2049 MB and 8192 MB: equal to the size of RAM
      More than 8192 MB: 0.75 times the size of RAM
  • 400 MB of disk space in the /tmp directory.
  • 4 GB of disk space for the Oracle Audit Vault Server software.
  • 1.6 GB of additional disk space for the Audit Vault Server database files in the Oracle Base. This applies only if the database storage option is on the file system; for other storage options, such as ASM, the database files are stored elsewhere. This 1.6 GB is only the starting size.

Oracle Audit Vault Server Prerequisites: (for AIX)

  • At least 1024 MB of physical RAM. The configured swap space depends on the installed RAM:
      Between 1024 MB and 2048 MB: 1.5 times the size of RAM
      Between 2049 MB and 8192 MB: equal to the size of RAM
      More than 8192 MB: 0.75 times the size of RAM
  • 400 MB of disk space in the /tmp directory.
  • 8 GB of disk space for the Oracle Audit Vault Server software.
  • 1.8 GB of additional disk space for the Audit Vault Server database files in the Oracle Base. This applies only if the database storage option is on the file system; for other storage options, such as ASM, the database files are stored elsewhere.

This 1.8 GB of disk space is only the starting size. The Oracle Audit Vault administrator must take future growth of the database size into consideration, especially as the server collects more and more audit data.

Administrative Tools for Managing Oracle Audit Vault:
You can use the following tools to administer Oracle Audit Vault:

  • Audit Vault Console. This graphical user interface provides most of the functionality that you need to administer Oracle Audit Vault.
  • Audit Vault Configuration Assistant (AVCA) command-line utility. Use AVCA to perform operations such as adding, deploying, and dropping agents, or managing wallets.
  • Audit Vault Control (AVCTL) command-line utility. Use AVCTL to load, refresh, start, and stop Oracle Audit Vault collection agents and collectors. You can also load and purge data in the Oracle Audit Vault data warehouse with this utility.
  • Audit Vault Oracle Database (AVORCLDB) command-line utility. Use AVORCLDB to configure Oracle Database source databases with Oracle Audit Vault.

Oracle Audit Vault Steps:

  • Create a User Account on the Oracle Source Database
  • Verify That the Source Database Is Compatible with the Collectors
  • Register the Oracle Source Database with Oracle Audit Vault
  • Add the Oracle Collectors to Oracle Audit Vault
  • Enable the Audit Vault Agent to Run the Oracle Database Collectors
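The first two steps are done on the source database, and a collector that is added against a database whose audit trail is pointed somewhere else simply collects nothing. The following is an added example, not code from the original page or from Oracle's own scripts. It creates a low-privilege account for the collectors to connect as and then reports, per collector type, whether the source database is actually producing what that collector reads: DBAUD reads SYS.AUD$ (AUDIT_TRAIL=DB), OSAUD reads the OS or XML audit files (AUDIT_TRAIL=OS or XML, plus AUDIT_SYS_OPERATIONS for SYS actions), and REDO is built on Streams capture, which needs ARCHIVELOG mode and supplemental logging. Run it as SYSDBA on the source database. The user name and password are placeholders, and the collector-specific grants that Audit Vault's privilege script makes later are not reproduced here.

```sql
-- Added example: source-database account and collector prerequisite report.
-- Run as SYSDBA on the source database. User name and password are placeholders.
CREATE USER avsrcusr IDENTIFIED BY "change_me_now"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;               -- the account reads audit data, it stores nothing
GRANT CREATE SESSION TO avsrcusr; -- collector-specific grants are made later by
                                  -- the privilege script that ships with Audit Vault

-- One row per prerequisite; a NOT MET row names a collector that would idle.
SELECT 'DBAUD: AUDIT_TRAIL writes to SYS.AUD$ (DB or DB,EXTENDED)' AS prerequisite,
       CASE WHEN UPPER(value) LIKE 'DB%' THEN 'OK'
            ELSE 'NOT MET (' || value || ')' END AS status
  FROM v$parameter
 WHERE name = 'audit_trail'
UNION ALL
SELECT 'OSAUD: AUDIT_TRAIL writes OS or XML files',
       CASE WHEN UPPER(value) LIKE 'OS%' OR UPPER(value) LIKE 'XML%' THEN 'OK'
            ELSE 'NOT MET (' || value || ')' END
  FROM v$parameter
 WHERE name = 'audit_trail'
UNION ALL
SELECT 'OSAUD: SYS and SYSDBA actions written to the OS trail',
       CASE WHEN UPPER(value) = 'TRUE' THEN 'OK' ELSE 'NOT MET' END
  FROM v$parameter
 WHERE name = 'audit_sys_operations'
UNION ALL
SELECT 'REDO: database in ARCHIVELOG mode',
       CASE WHEN log_mode = 'ARCHIVELOG' THEN 'OK'
            ELSE 'NOT MET (' || log_mode || ')' END
  FROM v$database
UNION ALL
SELECT 'REDO: minimal supplemental logging enabled',
       CASE WHEN supplemental_log_data_min IN ('YES', 'IMPLICIT') THEN 'OK'
            ELSE 'NOT MET' END
  FROM v$database;
```

The DBAUD and OSAUD rows are mutually exclusive for a single AUDIT_TRAIL value, so one NOT MET between them is expected; what matters is that the collector you intend to add is the one showing OK. Keep the collector account's privileges to what the privilege script grants; it holds a password that the agent stores, so it should not be a DBA.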

Oracle Database Vault

Features:

  • Protect application data from privileged users
  • Customizable separation-of-duty
  • Real time preventive controls
  • Out-of-the-box policies available for Oracle E-Business Suite, Siebel, PeopleSoft and JD Edwards EnterpriseOne Applications.


Oracle Database Vault enables you to restrict administrative access to an Oracle database. This helps you address the most difficult security problems remaining today: protecting against insider threats, meeting regulatory compliance requirements, and enforcing separation of duty.
Oracle Database Vault Included in the Oracle Database Installation:
Starting with Oracle Database 11g Release 2 (11.2), Oracle Database Vault is included as an installed program with Oracle Database, except that you must register it with the database (similar to Oracle Label Security). You no longer must run Oracle Universal Installer to enable Database Vault.
Integration with Oracle Enterprise Manager:
You can now perform a set of Oracle Database Vault functions from both Oracle Enterprise Manager Database Control Release 11.2 and Grid Control Release 10.2.0.5. This integration also applies to Releases 9.2.0.8, 10.2.0.4, and 11.1.0.7 of Oracle Database Vault.
Components of Oracle Database Vault:

Oracle Database Vault has the following components:
Oracle Database Vault Access Control Components
Oracle Database Vault Administrator
Oracle Database Vault Configuration Assistant
Oracle Database Vault DVSYS and DVF Schemas
Oracle Database Vault PL/SQL Interfaces and Packages
Oracle Database Vault and Oracle Label Security PL/SQL APIs
Oracle Database Vault Reporting and Monitoring Tools


Oracle Database Vault Implementation:

Checking if Oracle Database Vault Is Enabled:
You can check if Oracle Database Vault is enabled by logging in to SQL*Plus and entering the following SELECT statement. The PARAMETER column is case sensitive, so use the case shown here.
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

To register Oracle Database Vault:
1. Stop the database, Database Control console process, and listener.
UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then, from the command line, stop the Database Control console process and listener. For example:
sqlplus sys as sysoper
Enter password: password
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl stop [listener_name]
For Oracle RAC installations, shut down each database instance as follows:
$ srvctl stop database -d db_name
2. Enable Oracle Database Vault as follows:
UNIX: Run the following commands. The make command enables both Oracle Database Vault (dv_on) and Oracle Label Security (lbac_on). You must enable Oracle Label Security before you can use Database Vault.
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle
3. Restart the database and listener. (Do not restart the Database Control console process yet.)
UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then, from the command line, restart the listener. For example:
sqlplus sys as sysoper
Enter password: password
SQL> STARTUP
SQL> EXIT
$ lsnrctl start [listener_name]
For Oracle RAC installations, restart each database instance as follows:
$ srvctl start database -d db_name
4. Start Database Configuration Assistant.
UNIX: Enter the following command at a terminal window:
dbca
5. In the Welcome page, click Next. The Operations page appears.
6. Select Configure Database Options, and then click Next. The Database page appears.
7. From the list, select the database where you installed Oracle Database, and then enter the name and password of a user who has been granted the DBA role. Click Next. The Database Content page appears.
8. Perform one of the following actions:
If Oracle Label Security is already enabled: Select the Oracle Database Vault option, and then click Next.
If Oracle Label Security is not enabled: Select the Oracle Label Security option so that the Oracle Database Vault option becomes available for selection. Select the Oracle Database Vault option as well, and then click Next.
The Oracle Database Vault Credentials page appears.
9. Specify the name and password for the Database Vault Owner account (for example, DBVOWNER) and the Database Vault Account Manager (for example, DBVACCTMGR). These two accounts are the separation-of-duty boundary that Database Vault enforces, so they should not be held by the same person who holds the DBA role.
10. Click Next. The Connection Mode page appears.
11. Select either Dedicated Server Mode or Shared Server Mode (depending on the selection you made when you created this database), click Finish, and then click OK in the confirmation prompts. Database Configuration Assistant registers Oracle Database Vault, and then restarts the database instance.
12. Exit Database Configuration Assistant.
13. Restart the Database Control console process.
UNIX: Run the following command:
$ emctl start dbconsole
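Registration on its own protects nothing; the point of Database Vault is the realm you put around application data afterwards. The following is an added example, not code from the original page or from Oracle's documentation. It confirms that Database Vault is active and then creates a realm around one application schema so that a user holding SELECT ANY TABLE can no longer read it, which is the "protect application data from privileged users" feature listed above. The schema HR, the user APPDBA and the realm name are assumptions for the demo. Steps 1 and 3 work from a DBA account or the Database Vault Owner; step 2 must run as the Database Vault Owner (DBVOWNER in the procedure above).

```sql
-- Added example (not Oracle's code): verify Database Vault, then protect HR
-- with a realm. Schema HR, user APPDBA and the realm name are assumptions.

-- 1. Status: the page's V$OPTION check, plus DBA_DV_STATUS (available in 11.2),
--    where DV_CONFIGURE_STATUS and DV_ENABLE_STATUS should both be TRUE.
SELECT parameter, value FROM v$option WHERE parameter = 'Oracle Database Vault';
SELECT name, status FROM dba_dv_status;

-- 2. As the Database Vault Owner: create the realm, put every HR object in it,
--    and make HR its only authorized owner. Auditing on failure records each
--    blocked attempt.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Blocks system privileges such as SELECT ANY TABLE on HR data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 3. Confirm what the realm covers.
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'HR Data Realm';

-- 4. Test from the privileged account. Connected as APPDBA (assumed to hold
--    SELECT ANY TABLE and no direct grant from HR), this now fails with
--    ORA-01031: insufficient privileges. A direct object grant made by HR
--    (GRANT SELECT ON hr.employees TO appdba) is not blocked by the realm.
--    SELECT COUNT(*) FROM hr.employees;

-- 5. Review the blocked attempts the realm audited. Assumption: column names
--    of the 11g DVSYS.AUDIT_TRAIL$ table; confirm with DESCRIBE first.
SELECT username, action_name, owner, obj_name, timestamp
  FROM dvsys.audit_trail$
 ORDER BY timestamp DESC;
```

Realms block system privileges (the ANY privileges), not object privileges the owner grants deliberately, which is what step 4 demonstrates; treat any unexpected direct grants on realm-protected objects as a finding in their own right. Keep the Database Vault Owner account separate from the DBA: if the same person holds both, the realm is a speed bump, not a control.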

Wednesday, February 3, 2010

Downgrading a Database

Step 1:

Check the compatibility level of your database to see if the database might have incompatibilities that prevent you from downgrading. If the compatibility level of your Oracle Database 11g Release 1 (11.1) database is 11.0.0 or higher, then you are not able to downgrade.
To check the current value of the COMPATIBLE initialization parameter, enter the following SQL statement:
SQL> SELECT name, value, description FROM v$parameter
WHERE name = 'compatible';

Step 2:

Perform a full Backup of your 11g Database.

Step 3:
Log in to the system as the owner of the Oracle Database 11g Release 1 (11.1) Oracle home directory.
Note: This step is required only if Enterprise Manager Database Control is already configured for the database.
Stop Database Control, as follows:
1. Set the ORACLE_SID environment variable to the database SID.
2. Run the following command:
ORACLE_HOME/bin/emctl stop dbconsole
Step 4:

• At a system prompt, change to the ORACLE_HOME/rdbms/admin directory.
• Start SQL*Plus.
• Connect to the database instance as a user with SYSDBA privileges.
• Start up the instance in DOWNGRADE mode:

SQL> STARTUP DOWNGRADE


Step 5:
• Drop the SYSMAN schema:
SQL> DROP USER sysman CASCADE;

Step 6:
• Set the system to spool results to a log file for later verification of success:
SQL> SPOOL downgrade.log
• Run catdwgrd.sql:
SQL> @catdwgrd.sql
• Turn off the spooling of script results to the log file:
SQL> SPOOL OFF
• Shut down the instance:
SQL> SHUTDOWN IMMEDIATE

Exit SQL*Plus.

If the downgrade is being done on Windows, also complete the following steps:

• Stop all Oracle services, including the OracleServiceSID Oracle service of the Oracle database 11g Release 1 (11.1) database, where SID is the instance name.
For example, if your SID is ORCL, then enter the following at a command prompt:
C:\> NET STOP OracleServiceORCL
• Delete the Oracle service at a command prompt by issuing the ORADIM command. For example, if your SID is ORCL, then enter the following command:
C:\> ORADIM -DELETE -SID ORCL

• Create the Oracle service of the database that you are downgrading at a command prompt using the ORADIM command.
C:\> ORADIM -NEW -SID SID -INTPWD PASSWORD -MAXUSERS USERS
-STARTMODE AUTO -PFILE ORACLE_HOME\DATABASE\INITSID.ORA

Step 7:

• Install the Oracle Software Version to which the database is to be downgraded.
• Set ORACLE_HOME
• Set PATH

Step 8:

Restore the configuration files (for example, parameter files, password files, and so on) of the release to which you are downgrading.

Step 9:

• At a system prompt, change to the ORACLE_HOME/rdbms/admin directory of the previous release.
• Start SQL*Plus.
• Connect to the database instance as a user with SYSDBA privileges.
• Start up the instance:
SQL> STARTUP UPGRADE
• Set the system to spool results to a log file for later verification of success:
SQL> SPOOL reload.log
• Run catrelod.sql:
SQL> @catrelod.sql
o If you are downgrading to release 10.1.0.5 and you have XDB in your database, then run the following script after running catrelod.sql:
@dbmsxdbt.sql
• Turn off the spooling of script results to the log file:
SQL> SPOOL OFF
• Shut down and restart the instance for normal operation:
SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP
You might be required to use the PFILE option to specify the location of your initialization parameter file.
• Run the utlrp.sql script:
SQL> @utlrp.sql
The utlrp.sql script recompiles all existing PL/SQL modules that were previously in an INVALID state, such as packages, procedures, types, and so on.
• Exit SQL*Plus.

Your database is now downgraded.
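"Downgraded" is worth proving before the database goes back into service. The block below is an added example, not part of the original post. Run it as SYSDBA on the downgraded instance after utlrp.sql; it raises an error, rather than just listing rows, if any DBA_REGISTRY component is not VALID at the target release, if objects are still INVALID, or if COMPATIBLE does not match the release you downgraded to. The target release prefix 10.2. is an assumption; set it to your own target.

```sql
-- Added example: post-downgrade gate, run as SYSDBA after utlrp.sql.
-- c_target is an assumption; set it to the release you downgraded to.
SET SERVEROUTPUT ON
DECLARE
  c_target     CONSTANT VARCHAR2(10) := '10.2.';
  v_invalid    PLS_INTEGER;
  v_bad_comps  PLS_INTEGER;
  v_compatible VARCHAR2(4000);
BEGIN
  -- utlrp.sql should have left nothing INVALID
  SELECT COUNT(*) INTO v_invalid
    FROM dba_objects
   WHERE status = 'INVALID';

  -- Components never installed report OPTION OFF; every other component
  -- must be VALID and carry the target release's version.
  SELECT COUNT(*) INTO v_bad_comps
    FROM dba_registry
   WHERE status <> 'OPTION OFF'
     AND (status <> 'VALID' OR version NOT LIKE c_target || '%');

  SELECT value INTO v_compatible
    FROM v$parameter
   WHERE name = 'compatible';

  IF v_bad_comps > 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      v_bad_comps || ' DBA_REGISTRY component(s) not VALID at release ' || c_target || 'x');
  ELSIF v_invalid > 0 THEN
    RAISE_APPLICATION_ERROR(-20002,
      v_invalid || ' object(s) still INVALID; rerun utlrp.sql and check DBA_ERRORS');
  ELSIF v_compatible NOT LIKE c_target || '%' THEN
    RAISE_APPLICATION_ERROR(-20003,
      'COMPATIBLE is ' || v_compatible || ', expected ' || c_target || 'x');
  END IF;

  DBMS_OUTPUT.PUT_LINE('Downgrade checks passed; COMPATIBLE=' || v_compatible);
END;
/
```

If the registry check fails, query DBA_REGISTRY directly for the offending COMP_ID and rerun the component's own downgrade script from the previous release's ORACLE_HOME/rdbms/admin before trusting the database.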